As you may know, lately Active Directory Security seems to have been getting a lot of attention from traditional network security / hacking / cyber security folks (both on the good and the not-so-good side), many of whom may actually be new to the subject of Active Directory Security, and most of whom seem to be primarily interested in identifying privileged users in Active Directory.

As you may also know, there are primarily two categories of admins that possess privileged access in Active Directory – those that are members of the default Active Directory administrative groups (e.g. Domain Admins) and thus have complete and unrestricted access, and those for whom varying levels of privileged access may have been delegated/provisioned in Active Directory.

Now, while identifying privileged users that may be members of the default administrative groups is straightforward, identifying exactly who is actually delegated what administrative privileges in Active Directory is not straightforward, and thus at many organizations, IT personnel often end up not taking delegated admins into account when identifying privileged users in Active Directory.

As a result, in many Active Directory deployments there are many accounts that may not be members of the default administrative groups, yet possess varying levels of privileged access in Active Directory, and in many cases, these accounts may have sufficient privileges so as to be able to either directly or indirectly control various unrestricted privileged accounts in Active Directory.

For instance, consider the domain user account of an individual named John Doe, who may not be a member of any default admin group in Active Directory, but for whom there may exist a security permission in the access control list (ACL) of the AdminSDHolder object that effectively grants him the Reset Password extended right and/or the Write-Property Member security permission. Even though John Doe isn’t a member of any default AD administrative group, he is for all practical purposes a Domain Admin, since his effective access lets him reset the password of every Domain Admin equivalent account and change the membership of every default administrative group in Active Directory!

It is such accounts that those who may be new to the subject have been referring to as “Stealthy Admins” in Active Directory, even though those who know Active Directory well know that these are merely delegated admin accounts and/or admin accounts for whom access may have been provisioned, and thus, strictly speaking, there’s nothing stealthy about them. Nonetheless, to those who may be new to the subject, they may appear to be stealthy, as they’re not members of the default administrative groups, which in a way perhaps makes such accounts hard to identify.

In that presentation, a whitepaper on which can now be downloaded from here, its authors have presented what may seem like a ground-breaking revelation to those uninitiated to the subject.

Earlier this month, I shared how organizations can easily identify and thwart sneaky persistence in Active Directory based on “hiding” objects in Active Directory within just minutes. I had also said that while amateurs rely on this technique, proficient perpetrators rely on what I called “real” sneaky persistence in Active Directory, a way to hide that’s 100 times harder to detect.

“Real” sneaky persistence in Active Directory is a technique via which a proficient perpetrator could plant backdoors inside Active Directory access control lists (ACLs) that would be extremely difficult to identify with the naked eye (or even with basic Active Directory permissions analysis tooling), yet allow the perpetrator to gain unrestricted privileged access in Active Directory at will. Simply put, it exploits the sophistication of Active Directory’s powerful security model and the sheer complexity of the ocean of security permissions spread across the thousands of ACLs that exist in every Active Directory domain to hide in plain sight: none of it is obvious, yet all of it leads to the “Keys to the Kingdom.”

Earlier this week, I also shared how organizations can identify and thwart “real” sneaky persistence in Active Directory with equal ease. Indeed, “real” sneaky persistence is very powerful, effective and dangerous, and likely a clear and present danger, but fortunately every organization that wishes to identify and mitigate the risk posed by it can today do so.

Today, the cyber security of every organization’s foundational Active Directory deployment is paramount to their security because Active Directory is the bedrock of organizational cyber security.

Considering that 100% of all major recent cyber security breaches including Snowden, Target, JP Morgan, Sony, Anthem and the OPM data breach involved the compromise and misuse of just one Active Directory Privileged User account, and considering the potentially colossal impact that an Active Directory Security breach could have on an organization, what else could be more important?

Now, for many years perpetrators have been using credential-theft attacks (Pass-the-Hash, Golden Tickets etc.) to gain privileged access in Active Directory, predominantly by targeting Windows machines to steal any administrative credentials that could be found locally on them. However, as credential-theft attacks become harder to enact, perpetrators have started shifting their focus and efforts to directly targeting and exploiting weaknesses within Active Directory itself. The most concrete evidence of this is the introduction of the DCSync feature in the credential-theft hacking tool Mimikatz, which can exploit and leverage the presence of unauthorized/excessive “effective permissions” in Active Directory to effortlessly compromise the credentials of all domain accounts.

In our vast global experience of having assisted thousands of organizations from across the world for over a decade now, we have found that the foundational Active Directory deployments of most organizations worldwide may not yet be sufficiently protected from attacks aimed directly at identifying and exploiting such weaknesses within the Active Directory itself, primarily due to a complete lack of technical guidance (and consequently a lack of sufficient awareness) on the most critical aspects of Active Directory Security.

Thus, to help Microsoft (and organizations worldwide) better understand what it takes to sufficiently enhance the security of foundational Active Directory deployments worldwide, starting May 22, 2017, we will conduct a free 30-day blog series titled Advanced Active Directory Security School. For 30 days, each day, we will address a new topic. A shareable flyer can be downloaded here.

Everyone working on Active Directory and Cyber Security at Microsoft (and anywhere else), including Microsoft’s Windows/AD Product Dev Team, Azure Team, Cyber Security Team, Microsoft Consulting Services, Product Support Services, TwC Group, Microsoft IT, etc. is cordially invited, as are all IT and Cyber Security professionals at thousands of organizations across the world.

Today, I would like to cover a paramount cyber security topic, one that is at the very heart, root and foundation of organizational cyber security worldwide – Active Directory Effective Permissions.

Before I share its technical and other salient aspects, I should mention that not a single organization in the world that today operates on Microsoft Active Directory can be adequately secured without possessing this paramount cyber security capability, simply because nothing (i.e. not a single object) in Active Directory can be secured without possessing this fundamental capability.

In other words, from Microsoft to the entirety of the Fortune 1000, and from the White House to the entirety of all government organizations worldwide, every organization requires this capability.

That said, let me share with you what Active Directory Effective Permissions are and why they are paramount to cyber security today…

Active Directory Effective Permissions

Most simply put, Active Directory Effective Permissions are the security permissions that are effectively granted to various individuals in an organization on various objects in their Active Directory.

The keyword here is effective(ly), so let’s take a minute to comprehend it.

As you may know, in every IT infrastructure powered by the Microsoft Windows Server platform, literally every building block of organizational cyber security, from the entirety of all organizational user accounts and privileged user accounts, to the computer accounts of all of the organization’s computers, to the entirety of the domain security groups used to facilitate secure access to all IT resources across the network, as well as all of the group policies used to manage all organizational computers and their security, is an object in Active Directory.

Since each one of these objects, i.e. user accounts, computer accounts, security groups, policies etc., also needs to be managed, Active Directory lets organizations precisely delegate/provision varying levels of access on these objects, so as to enable organizational IT personnel and other involved stakeholders to manage, modify and secure these Active Directory objects.

To do so, Active Directory protects each such object with a security descriptor that contains, amongst other parts, an access control list (ACL), which is simply a collection of zero or more access control entries (ACEs), each one of which exists to Allow or Deny a specific type of access (i.e. specific security permissions) to a specific security principal (i.e. a user, security group, well-known SID etc.).

Now, speaking of security permissions, Active Directory’s security model offers a rich set to choose from. There are almost a dozen generic security permissions (Read Control, List Child, List Object, Write Owner, Write DACL, Standard Delete, Delete Tree, Create Child, Delete Child, Read Properties, Write Properties), over five dozen specialized security permissions known as Extended Rights that control specific actions, as well as several Validated Writes, so a great many security permissions could be specified for a specific security principal.
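The security descriptor, ACL and ACE structure just described has a textual form, SDDL (Security Descriptor Definition Language), which Windows tooling emits and accepts. The post does not name SDDL, and the parser below is an added example, not code from the original post or from Paramount Defenses. It reads the DACL portion of a constructed descriptor string (the domain SID in it is a placeholder) and turns each ACE into the fields the text describes: Allow or Deny, the principal, the security permissions (named with the eleven generic permissions listed above, plus extended rights and validated writes), the extended right or attribute that an object ACE is limited to, and whether the ACE is explicit, inheritable or inherit-only. The token tables and the three schema GUIDs are standard Windows values; only the sample descriptor is constructed.

```python
"""Parse the DACL of an SDDL security descriptor string into the ACE fields the text
describes: Allow/Deny, principal, security permissions, and (for object ACEs) the extended
right or attribute the ACE is limited to. Token tables are standard Windows ones; the
sample descriptor and its domain SID are constructed."""
import re

ACE_TYPES = {"A": "allow", "D": "deny", "OA": "allow", "OD": "deny"}  # OA/OD: object ACEs
RIGHTS = {  # two-letter SDDL right tokens -> the permission names used in the text
    "RC": "Read Control", "LC": "List Child", "LO": "List Object", "WO": "Write Owner",
    "WD": "Write DACL", "SD": "Standard Delete", "DT": "Delete Tree", "CC": "Create Child",
    "DC": "Delete Child", "RP": "Read Properties", "WP": "Write Properties",
    "CR": "Control Access (extended right)", "SW": "Self Write (validated write)",
    "GA": "Generic All", "GR": "Generic Read", "GW": "Generic Write", "GX": "Generic Execute",
}
FLAGS = {"CI": "container inherit", "OI": "object inherit", "NP": "no propagate",
         "IO": "inherit only", "ID": "inherited", "SA": "audit success", "FA": "audit failure"}
SID_ALIASES = {  # a few of the well-known SID abbreviations SDDL allows instead of a full SID
    "DA": "Domain Admins", "DU": "Domain Users", "AU": "Authenticated Users",
    "WD": "Everyone", "BA": "Builtin Administrators", "SY": "Local System",
}
KNOWN_GUIDS = {  # real schema GUIDs relevant to the operations the text mentions
    "00299570-246d-11d0-a768-00aa006e0529": "Reset Password (User-Force-Change-Password)",
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "member attribute",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_tokens(run, table, what):
    """Split a run of two-letter tokens such as 'CIIOID' or 'RPWPCR' and look each one up."""
    if len(run) % 2:
        raise ValueError(f"malformed {what} run: {run!r}")
    pairs = [run[i:i + 2] for i in range(0, len(run), 2)]
    unknown = [p for p in pairs if p not in table]
    if unknown:
        raise ValueError(f"unknown {what} token(s): {unknown}")
    return [table[p] for p in pairs]


def parse_ace(body):
    """body is the text between one pair of parentheses: type;flags;rights;object;inherit;sid."""
    parts = body.split(";")
    if len(parts) < 6:
        raise ValueError(f"ACE needs at least 6 fields: {body!r}")
    ace_type, flags, rights, obj_guid, _inherit_guid, sid = parts[:6]
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unsupported ACE type {ace_type!r}")
    # SDDL also allows a raw hexadecimal access mask in place of right tokens.
    perms = [f"mask {rights}"] if rights.startswith("0x") else split_tokens(rights, RIGHTS, "right")
    flag_list = split_tokens(flags, FLAGS, "flag")
    return {
        "access": ACE_TYPES[ace_type],
        "principal": SID_ALIASES.get(sid, sid),
        "permissions": perms,
        "object_type": KNOWN_GUIDS.get(obj_guid.lower(), obj_guid) if obj_guid else None,
        "explicit": "inherited" not in flag_list,
        "applies_to_object": "inherit only" not in flag_list,
        "inheritable": bool({"container inherit", "object inherit"} & set(flag_list)),
    }


def parse_dacl(sddl):
    """Return the ACEs of the D: section in stored order (SACL entries after S: are ignored)."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    return [parse_ace(body) for body in ACE_RE.findall(m.group(1))]


# Constructed descriptor for a user object; S-1-5-21-1111111111-2222222222-3333333333 is a
# placeholder domain SID, and -1105 / -1106 are placeholder RIDs.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"  # Full Control, explicit
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(OA;CIIOID;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111111111-2222222222-3333333333-1106)"
    "(D;ID;DT;;;DU)"  # inherited deny of Delete Tree
)

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SDDL):
        print(ace)
```

Running the block prints the four ACEs: a Full Control allow for Domain Admins, an explicit Reset Password allow for one user, an inherit-only (hence not applicable to this object) Write Property allow on the member attribute, and an inherited Delete Tree deny for Domain Users. Parsing is the easy half; deciding what these entries add up to for a given principal is the effective permissions problem the rest of the post is about.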

A highly simplified description of how it all comes into play is that when a specific security principal (such as a user, a computer or a service account) attempts (i.e. requests access) to perform a specific operation (that is controlled by one of the above mentioned Active Directory security permissions) on a specific Active Directory object, the system subjects the request to an access check, which involves considering the security principal’s identity and its security affiliations (i.e. its security group memberships), then analyzing the target Active Directory object’s security descriptor (i.e. the various security permissions specified in the ACEs that comprise its ACL) to determine whether or not the requested access is effectively allowed. If it is, access is allowed; else, it is denied.

In short, simply put, if a security principal has the effective access (i.e. effective permissions) that it is requesting on an Active Directory object, then the access will be granted, else it will be denied.

To tie this to a real-world example, if an intruder attempts to reset the password of a Domain Admin and has sufficient effective permissions to do so on the object, the request will be allowed. Similarly, as you may know, if an intruder attempts to replicate secrets from Active Directory and has sufficient effective permissions to do so on the domain root, the request will be allowed. Likewise, if an intruder attempts to modify the permissions on AdminSDHolder in Active Directory and has sufficient effective permissions to do so on the object, the request will be allowed.

(As you probably know, if an intruder could successfully enact any of the above, it’d be Game Over right then and there, and strictly speaking, the entire organization would be compromised.)

To make a long story short, every technical operation that can be performed on an Active Directory object (i.e. in business parlance, every administrative task that a user can enact on an IT asset stored in Active Directory) is based on a user having sufficient effective permissions to do so. If the user has sufficient effective permissions, he/she will succeed; else he/she will fail.

The (trillion $) keyword here is effective permissions, which is best understood with an illustrative example.

An Illustrative Example

This esoteric yet paramount technical concept is best understood with an illustrative example, so let’s consider the ACL protecting the CEO’s domain user account –

As you can see, it’s complicated. There are many security permissions specified in the ACEs that comprise the ACL. Some security permissions are allowed, while others are denied, and some are specified explicitly while others have been inherited from the object’s parent. Further, some apply to the object while others exist only to be inherited by child objects. Finally, some are simple and specific, such as Reset Password, while others are a combination of multiple permissions (displayed as Special), and then there are those that grant all permissions (displayed as Full Control).

Given the complicated set of security permissions in an Active Directory object’s ACL, how does one determine what permissions a user is actually (i.e. effectively) entitled to on it, considering –

Security groups may be nested to multiple levels, thus effectively specifying access for large numbers of individuals

There are over eighty different kinds of permissions and rights that could be granted or denied to security principals

Permissions granted to a user in one ACE may be denied to the same user or security group in another ACE

Permissions granted in an inherited ACE may be overridden by permissions specified in an explicit ACE

Permissions specified in an ACE may or may not control access depending on the characteristics of the ACE

A user could belong to multiple nested security groups, some of which may be allowed, and some denied, permissions

Etc. Etc …

For instance, a user John could be a member of many groups, including, say, A1 and D1. Now group A1 may be a member of group A2, which may be a member of group A3, which may be allowed Reset Password in an ACE in the ACL above, while group D1 may be a member of group D2, which may be a member of group D3 (which could itself also be a member of D2, i.e. a circular group membership), which may be denied Special (i.e. multiple) permissions in another ACE in the ACL above. Further, there may be a permission denying Domain Users some access and one allowing Authenticated Users some access; both of these permissions will also influence John’s resulting (effective) access.

In light of these specific permissions, as well as other ones in the object’s ACL, whether or not John can actually reset the CEO’s password would be determined by the collective impact of all the security permissions in the object’s ACL, considering their characteristics (Allow, Deny, Explicit, Inherited, Applicable, N/A etc.) in light of all factors that influence resulting access in Active Directory.

In essence, simply put, Active Directory Effective Permissions are the resulting/resultant set of permissions (RSOP) that a user is entitled to on an Active Directory object, considering all the security permissions that exist in that object’s ACL, including permissions that may or may not directly specify access for the user, and in light of all factors that influence resulting access in Active Directory.

Thus, as one can see, in order to accurately determine the effective permissions granted to one or more users on this Active Directory object, one would have to methodically take into account every aspect and rule of Active Directory’s sophisticated security model, and do so with 100% precision, each and every time one needed to make this determination.
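The access check described earlier and the reasoning in the John example above can be made concrete in a small model. The following is an added example, not code from the original post or from Paramount Defenses, and it goes beyond the single case in the text: it expands nested and circular group memberships (D1 -> D2 -> D3 -> D2), orders ACEs canonically (explicit deny, explicit allow, inherited deny, inherited allow), skips inherit-only ACEs, honours object-type ACEs such as the Reset Password extended right, computes the resultant set for any principal while recording which ACE decided each right (the “how”), and answers the inverse question of who holds a given right on the object. The group names, the sample ACL and the principals are constructed; the two schema GUIDs are real values not given on the page. The model deliberately omits parts of the real NT access check such as owner rights, generic-right mapping and property sets.

```python
"""Effective permissions on an Active Directory-style object, modelled in plain Python.
Covers nested and circular group membership, canonical ACE ordering, inherit-only ACEs,
object-type ACEs (extended rights / single attributes), attribution of every effective
right to the deciding ACE, and the inverse 'who can' question. All data is constructed."""
from dataclasses import dataclass

# Real schema GUIDs (not given on the page); "" in an ACE means "any object type".
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"      # the 'member' attribute
# Generic rights, as SDDL-style abbreviations of the permissions the text lists,
# plus CR (extended rights) and SW (validated writes).
ALL_RIGHTS = frozenset("RC LC LO WO WD SD DT CC DC RP WP CR SW".split())
WELL_KNOWN = {"Authenticated Users", "Everyone"}   # every domain principal carries these


@dataclass(frozen=True)
class Ace:
    kind: str                   # "allow" or "deny"
    trustee: str                # user, group or well-known principal named by the ACE
    rights: frozenset           # subset of ALL_RIGHTS
    object_type: str = ""       # GUID narrowing CR/RP/WP to one right or attribute
    inherited: bool = False     # came from the parent container
    inherit_only: bool = False  # only inherited by children; does not apply to this object

def expand_groups(principal, membership):
    """Transitive closure of memberships; the visited set terminates circular nesting."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(membership.get(p, ()))
    return seen

def canonical(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow (stable sort)."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind == "allow"))

def decide(token, acl, right, object_type):
    """First applicable ACE in canonical order decides; None is an implicit deny.
    An ACE applies if it names a principal in the token, is not inherit-only, carries the
    right, and is either unrestricted ('') or restricted to exactly this object type."""
    for ace in canonical(acl):
        if ace.inherit_only or ace.trustee not in token or right not in ace.rights:
            continue
        if ace.object_type in ("", object_type):
            return ace
    return None

def check(principal, right, object_type, acl, membership):
    """Access check for one requested operation: returns the deciding ACE or None."""
    token = expand_groups(principal, membership) | WELL_KNOWN
    return decide(token, acl, right, object_type)

def has_right(principal, right, object_type, acl, membership):
    ace = check(principal, right, object_type, acl, membership)
    return ace is not None and ace.kind == "allow"

def effective_permissions(principal, acl, membership):
    """Resultant set for one principal: {(right, object_type): granting ACE}. Every pair an
    allow ACE could grant is re-decided against the whole ACL, so an earlier deny removes it."""
    token = expand_groups(principal, membership) | WELL_KNOWN
    result = {}
    for cand in acl:
        if cand.kind != "allow":
            continue
        for r in cand.rights:
            winner = decide(token, acl, r, cand.object_type)
            if winner is not None and winner.kind == "allow":
                result[(r, cand.object_type)] = winner
    return result

def who_can(right, object_type, acl, membership, principals):
    """Inverse question: every principal holding the right, with the trustee of the granting ACE."""
    out = []
    for p in principals:
        ace = check(p, right, object_type, acl, membership)
        if ace is not None and ace.kind == "allow":
            out.append((p, ace.trustee))
    return out

# Constructed directory snapshot mirroring the John example in the text.
MEMBERSHIP = {
    "John": ["A1", "D1", "Domain Users"],
    "A1": ["A2"], "A2": ["A3"],                  # A1 -> A2 -> A3
    "D1": ["D2"], "D2": ["D3"], "D3": ["D2"],    # D1 -> D2 -> D3 -> D2 (circular)
    "Bob": ["A3", "Contractors", "Domain Users"],
    "Alice": ["D1", "Domain Users"],
    "Admin1": ["Domain Admins", "Domain Users"],
}
PRINCIPALS = ["John", "Bob", "Alice", "Admin1"]

CEO_ACL = [  # ACL of the CEO's user object, in the arbitrary order a tool might list it
    Ace("allow", "A3", frozenset({"CR"}), RESET_PASSWORD, inherited=True),
    Ace("allow", "Domain Admins", ALL_RIGHTS),                      # Full Control, explicit
    Ace("deny", "D3", frozenset({"WP", "WD"})),                     # "Special" deny, explicit
    Ace("deny", "Contractors", frozenset({"CR"}), RESET_PASSWORD),  # explicit deny beats Bob's inherited allow
    Ace("deny", "Domain Users", frozenset({"DT"})),                 # strips Delete Tree even from Domain Admins
    Ace("allow", "Authenticated Users", frozenset({"RP"}), inherited=True),
    Ace("allow", "Everyone", frozenset({"WP", "WD", "WO"}), inherited=True, inherit_only=True),
]

if __name__ == "__main__":
    for p, via in who_can("CR", RESET_PASSWORD, CEO_ACL, MEMBERSHIP, PRINCIPALS):
        print(f"{p} can reset the CEO's password, granted through the ACE for {via}")
    for (r, g), ace in effective_permissions("John", CEO_ACL, MEMBERSHIP).items():
        print(f"John: {r} on {g or 'all object types'} via {ace.kind} ACE for {ace.trustee}")
```

On this snapshot John can reset the CEO’s password through the inherited allow for A3 (three levels of nesting away), Bob cannot even though he is a direct member of A3, because the explicit deny for Contractors precedes the inherited allow, Alice’s circular D1/D2/D3 chain terminates and yields nothing, and the explicit deny on Domain Users removes Delete Tree even from Domain Admins, since explicit denies are evaluated before explicit allows. The inherit-only Everyone entry grants nothing on this object. Each answer carries the ACE that produced it, which is the part a one-user-at-a-time yes/no answer does not give you.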

In other words, the accurate determination of effective permissions in Active Directory is by no means easy. It is certainly neither the same as, nor as easy as, performing a simple Active Directory permissions audit, or for that matter writing a simple (or even a very complicated) PowerShell script to do so. In fact, it is an order of magnitude more difficult.

The Importance of Active Directory Effective Permissions

The ability to accurately, efficiently and adequately determine effective permissions in Active Directory, i.e. on Active Directory objects, is paramount to organizational cyber security today.

It is paramount because neither Active Directory itself nor any of its content can be adequately secured without possessing the ability to assess who has what effective permissions in Active Directory.

Consider this – What is the only way to answer each one of the following questions –

Exactly how many privileged users are there in an organization’s Active Directory?

Exactly how many privileged security groups are there in an organization’s Active Directory?

Exactly who can reset the password of a privileged user to elevate privilege in an organization’s Active Directory?

Exactly who can modify the group membership of a privileged security group to elevate privilege in an organization’s Active Directory?

Exactly who can instantly replicate secrets from Active Directory, and thus compromise the credentials of all accounts by using a tool such as Mimikatz DCSync?

Exactly who can manage the domain user accounts of the organization’s executives (Chairman of the Board, CEO, CFO, CIO, CISO etc.) in an organization’s Active Directory?

If Smartcard authentication or other similar defense-in-depth measures (i.e. band-aids) are in use, exactly who can instantly disable their use in the organization’s Active Directory?

The answer: Active Directory Effective Permissions.

Each one of the questions posed above is paramount to organizational cyber security today, and the only way to answer them is to determine effective permissions/access in Active Directory.

(Those who truly understand Windows Security know that not a leaf moves in Microsoft’s ecosystem without Active Directory being involved. In a typical day, Active Directory is involved hundreds of thousands, if not millions, of times as organizational employees go about their work, and in each case, Active Directory effective permissions influence the involved access.)

The Active Directory Effective Permissions Tab

The importance of effective permissions to Windows Security is best evidenced by the fact that of the four tabs in Microsoft’s native Active Directory management tooling, the first three being Permissions, Auditing and Owner(ship), the fourth tab is for Effective Permissions. Thus, effective permissions are at least as important as Permissions, Auditing and Owner(ship) –

Active Directory Effective Permissions Tab

Sadly, as important as effective permissions are, Microsoft’s Effective Permissions Tab for Active Directory is not only not 100% accurate, it is substantially inadequate (and has been so for a decade now).

Here’s why –

It is not always 100% accurate, since it self-admittedly does not take all relevant factors into account

Most importantly, it can only determine (an approximation of) effective permissions (granted to) ONE user at a time

Finally, it cannot identify the underlying permissions in the object’s ACL that entitle a specific user to a specific effective permission

Although the inability to be 100% accurate in itself renders it unreliable and virtually useless (because when you’re trying to secure the very foundation of security, accuracy is paramount), the fact that it can only determine (an approximation of) effective permissions for one (specifiable) user at a time also makes it practically unusable, because then the only way to definitively determine who has what effective permissions on a specific Active Directory object is to enter the identities of all of the organization’s users ONE by ONE, to discover all those who do have effective permissions on the object and to rule out all those who don’t. Such a laborious process could easily take days, if not weeks, per object, each time.

Finally, even assuming that an organization were able to use it to accurately determine effective permissions in Active Directory and identify all individuals that currently possess effective permissions on an object, including those who are not supposed to possess them, the Effective Permissions Tab provides no indication whatsoever as to which underlying security permissions in the object’s ACL end up entitling these unauthorized users to these effective permissions. In other words, the HOW component is missing, and that is what makes it substantially inadequate.

For the sake of completeness, let me also mention that virtually all of Microsoft’s tooling that offers any ability to do any type of effective permissions analysis, such as dsacls, acldiag etc., has the same deficiencies. In addition, most of the technical guidance and scripts provided/available on Microsoft TechNet are substantially inaccurate, as is this dangerously inaccurate free tooling.

Amazingly, today there are 100s if not 1000s of cyber security / enterprise security companies in the world, yet not one of them has a solution to audit effective permissions in Active Directory.

Except One

We are Paramount Defenses, and as its CEO, it is my privilege to share with you the world’s only accurate and adequate Active Directory Effective Permissions Calculator –

Six months ago we made the simple claim that we are the most important and valuable cyber security company today. In days to come, I will easily substantiate that claim, but before I can do so, I’d like to share with you the Top-10 ways in which an intruder or a rogue/coerced insider could gain Domain Admin privileges (i.e. the Keys to the Kingdom) in an Active Directory environment.

The reason this is so important, and in fact paramount, is that the compromise of even a single privileged user’s account can easily result in a massive system-wide cyber security breach. Ask any well-informed CEO, CIO or CISO and they’ll tell you that this is the #1 cyber security challenge facing their organization and most organizations today. In fact, 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise of a single Active Directory privileged user account, i.e. a Domain Admin* account.

So, without further ado, here are the Top-10 ways in which an intruder could easily gain Domain Admin privileges in an Active Directory environment –

Top-10 Ways to Become a Domain Admin in an Active Directory Environment –

Use the DCSync feature of the mimikatz hacking tool to obtain credentials of all domain accounts, including those of all privileged user accounts

I should mention that these are merely the Top-10 ways to do so. There are many, many more ways in which one could accomplish this objective, simply by modifying content in Active Directory.

An intruder only needs to find out who has sufficient effective permissions to be able to perform any one of the above, then compromise any one of those accounts, to have a golden starting point.

Incidentally, not a single one of these ways (mentioned or alluded to above) involves passing hashes or meddling with Kerberos tickets; they merely involve modification of Active Directory content.

The astute mind will have already deduced that these attack vectors can be mitigated by possessing one fundamental cyber security capability, which most organizations do not yet possess today.

In my next post, I will shed light on that one fundamental cyber security capability as well as substantiate our simple claim. (The astute mind will already have made the connection.) Stay tuned.

Best wishes,
Sanjay

PS: This, i.e. 10 ways to gain Domain Admin privileges in Active Directory, is merely the Tip of the Iceberg, when it comes to what someone could do if they could modify Active Directory content.

PS2: It’s 2016, not 2006. Ideally Microsoft should have helped its customers understand and mitigate these foundational risks years ago, by at the very least providing vital and adequate technical guidance. Unfortunately, the underbelly of most organizations continues to remain vastly vulnerable to these risks, so considering the stats (100%), we felt an obligation to shed light on them.

Apologies for the delay. In light of recent global events (i.e. the U.S. elections), which are believed to have been influenced by possibly the world’s biggest cyber security breach yet, I just wanted to let the dust settle before sharing our perspectives, since what we have to share concerns the foundational cyber security of both business and government organizations worldwide.

Before I can substantiate our claim, I would like to respectfully share some fundamental yet paramount cyber security insight for all business and government organizations worldwide, in the form of a cogent presentation on Active Directory Security, that we built and released last month to help Microsoft, as well as all cyber security companies, better understand foundational cyber security –